MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3
SHA3-384 hash: c3dca7383c1dce69ac5e321037559fe22ffa238d35668686ed250e5a61a2c20d8d155d7fc6eddb6de95b84073f651107
SHA1 hash: 7a07424f29e149d13c0e29e4169fbe3c99eac19e
MD5 hash: e88e9dc9ad1c9c031b9ec12583f9f877
humanhash: ack-mockingbird-ten-apart
File name:SecuriteInfo.com.ArtemisE88E9DC9AD1C.3446
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'389'056 bytes
First seen:2020-11-12 19:04:18 UTC
Last seen:2024-07-24 14:10:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pQY/JnxCBnEy8+DA7YsRT7eK88NJ/yPVn47gILNuTvG/DmkC:2
Threatray 1'156 similar samples on MalwareBazaar
TLSH 77555A3DAD8826A35177F277A4B906C6FEB4618672790C4F01C33A486C4AF163E9774E
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisE88E9DC9AD1C.3446.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533295
Signature
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:16:26 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6yplwfkz2bdj7mo3dicw7mlgzb3xzjvbecnujkmfqh5wfxmvprq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
090b379ffd22f27e1070c2f56d6a7833a6f04451cd4b065571dd2e04e62faac5
AgentTesla
2be641fe6ad1a60bc76261ac08484fa678c36ead721e9d84dce7ba1388a91bd4
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
723ec630211ca5a3268bd62e03caeec38b40e5d33c0e80908fec14332f006988
AgentTesla
8bad16db1bd40fbc6e6fa8a9a9efd9f3bf8e95dd83af238625ee3f1f1ff1950c
AgentTesla
a21e38f8f6be5ca6ad235835b89f774e142683615b5bec677d3cf49fe78c2f16
AgentTesla
d5fa02045d60d623dacb74b1a719e571982f6a68ea7781c06f8d0ce104b98bd6
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
fcd3fc0e0c174c30b7e47217e65c18db028d52f2ef52c5f1b387b3c27f36b5ab
AgentTesla
+ 1'146 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201112-9xb6t7s2qn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3
MD5 hash:
e88e9dc9ad1c9c031b9ec12583f9f877
SHA1 hash:
7a07424f29e149d13c0e29e4169fbe3c99eac19e
Link:
https://www.unpac.me/results/b8a9734f-d9e8-415e-8673-1797a591abed/
SH256 hash:
1edf992920e539eebe97ac570c0f2f0e07a0c2f678780d9fe10d9dc595fd7976
MD5 hash:
4613ee2cc51f9a4abfe7f5f8bc5f7c54
SHA1 hash:
3cbb083470a72716d1858771b33504ea66352832
Link:
https://www.unpac.me/results/b8a9734f-d9e8-415e-8673-1797a591abed/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/b8a9734f-d9e8-415e-8673-1797a591abed/
SH256 hash:
11ff9060f8ef1c7453c87befe93ce34c99a75e372bc5789d6bf8413d1a2785a3
MD5 hash:
4a07b1244b808e9f186b04cd0d7c2d2b
SHA1 hash:
c3c5125e695a16a4145ba34e1890384f87b22c1f
Link:
https://www.unpac.me/results/b8a9734f-d9e8-415e-8673-1797a591abed/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4fb0f5d8aace8234fd8ed8d02b7d8b3643bbe5350904da254c2c0fdb16ecabe3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/810972/
  
Delivery method
Distributed via web download

Comments